
Cisco AnyConnect VPN CentOS 7 GNOME Desktop

I also have a similar page for installing Cisco AnyConnect VPN on a CentOS "Server GUI" with KDE Desktop (a different base install option).  You might want to look at that guide too.  It is simpler than this one: everything is done with yum commands, with no wgets.  It might also work on the GNOME desktop, so you can try it instead of the procedure below.

This procedure was done on a brand-new install of CentOS7 on a Lenovo ThinkPad P70 laptop.
This was a straight-out-of-the-box install of the CentOS7 desktop with no tweaks at all: I selected the GNOME desktop option (not Plasma!) along with a bunch of development tools and libraries, but everything was selected from the default installer menu, with no hacks or tweaks.  It's a straightforward procedure and not hard to do at all.  However, I could not find anywhere on the web where all the steps were gathered in one place.  This should theoretically work for RedHat7 desktop and OracleLinux7 desktop, but it has only been tested on CentOS7 GNOME desktop.  The setup of Cisco AnyConnect VPN is detailed below.

Install EPEL RPM

Basically, this webpage here was the starting point which got this successful Cisco AnyConnect VPN configuration rolling.  The first step is therefore to install EPEL, which is more or less a Fedora project that provides a high-quality library of packages interoperable with CentOS7 and other similar Linuxes.  I downloaded the EPEL rpm from here, but for convenience I have attached it to this post as well, just in case that link is down for any reason.  It's recommended to use the link instead of the copy attached to this post so that you get the latest, genuine EPEL from Fedora.  Now install EPEL as shown below.  Note that the vpnc and vpnc-script packages are also installed from EPEL in this step.  That's a good thing: those are also needed for Cisco AnyConnect, so no worries.


[root@localhost Downloads]# rpm -Uvh epel-release-7-8.noarch.rpm

warning: epel-release-7-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:epel-release-7-8                 ################################# [100%]
[root@localhost Downloads]# yum install vpnc
Loaded plugins: fastestmirror, langpacks
epel/x86_64/metalink                                                                                                                                                                        |  14 kB  00:00:00    
epel                                                                                                                                                                                        | 4.3 kB  00:00:00    
(1/3): epel/x86_64/group_gz                                                                                                                                                                 | 170 kB  00:00:00    
(2/3): epel/x86_64/updateinfo                                                                                                                                                               | 594 kB  00:00:00    
(3/3): epel/x86_64/primary_db                                                                                                                                                               | 4.3 MB  00:00:00    
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * epel: muug.ca
 * extras: mirrors.liquidweb.com
 * updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package vpnc.x86_64 0:0.5.3-22.svn457.el7 will be installed
--> Processing Dependency: vpnc-script for package: vpnc-0.5.3-22.svn457.el7.x86_64
--> Running transaction check
---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                             Arch                                           Version                                                     Repository                                    Size
===================================================================================================================================================================================================================
Installing:
 vpnc                                                x86_64                                         0.5.3-22.svn457.el7                                            epel                                          85 k
Installing for dependencies:
 vpnc-script                                         noarch                                         0.5.3-22.svn457.el7                                         epel                                          14 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package (+1 Dependent package)

Total download size: 99 k
Installed size: 210 k
Is this ok [y/d/N]: y
Downloading packages:
warning: /var/cache/yum/x86_64/7/epel/packages/vpnc-0.5.3-22.svn457.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
Public key for vpnc-0.5.3-22.svn457.el7.x86_64.rpm is not installed
(1/2): vpnc-0.5.3-22.svn457.el7.x86_64.rpm                                                                                                                                                  |  85 kB  00:00:00    
(2/2): vpnc-script-0.5.3-22.svn457.el7.noarch.rpm                                                                                                                                           |  14 kB  00:00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                              261 kB/s |  99 kB  00:00:00    
Retrieving key from file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Importing GPG key 0x352C64E5:
 Userid     : "Fedora EPEL (7) <epel@fedoraproject.org>"
 Fingerprint: 91e9 7d7c 4a5e 96f1 7f3e 888f 6a2f aea2 352c 64e5
 Package    : epel-release-7-8.noarch (installed)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-7
Is this ok [y/N]: y
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Warning: RPMDB altered outside of yum.
  Installing : vpnc-script-0.5.3-22.svn457.el7.noarch                                                                                                                                                          1/2
warning: /etc/vpnc/vpnc-script created as /etc/vpnc/vpnc-script.rpmnew
  Installing : vpnc-0.5.3-22.svn457.el7.x86_64                                                                                                                                                                 2/2
  Verifying  : vpnc-script-0.5.3-22.svn457.el7.noarch                                                                                                                                                          1/2
  Verifying  : vpnc-0.5.3-22.svn457.el7.x86_64                                                                                                                                                                 2/2

Installed:
  vpnc.x86_64 0:0.5.3-22.svn457.el7                                                                                                                                                                               

Dependency Installed:
  vpnc-script.noarch 0:0.5.3-22.svn457.el7                                                                                                                                                                        

Complete!
[root@localhost Downloads]#

Install Required Libraries and OpenConnect

I got the CentOS7 OpenConnect RPM from Springdale, but there should be several places where it can be obtained.  I will also attach this one to this blog post so that the exact RPM that I used is available.  I did this configuration between midnight and 3AM this morning, so now in the afternoon I'm retracing my footsteps while it's still fresh to get this guide created.  However, I believe you can also get this same RPM from elders.princeton.edu.  So that's three places to get it: Springdale, Princeton, and here at this blog, attached at the bottom of this page.  But you can't install it yet because, unless you have previously done so, some libraries are needed to satisfy the dependencies of the OpenConnect RPM.  Just so that you see what the issue is, below is an example of what you get when trying to install the OpenConnect RPM without the required libraries.  In the subsequent steps below, those libraries are easily obtained and then OpenConnect installs perfectly.


[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm

warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
error: Failed dependencies:
    liblz4.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
    libstoken.so.1()(64bit) is needed by openconnect-7.06-1.sdl7.x86_64
    libstoken.so.1(STOKEN_1.0)(64bit) is needed by openconnect-7.06-1.sdl7.x86_64

[root@localhost Downloads]#

Install lz4 Library

The lz4 library is easy to get.  Just use yum to install it as shown below.

[root@localhost Downloads]# yum install lz4

Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * epel: mirror.steadfast.net
 * extras: mirrors.liquidweb.com
 * updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package lz4.x86_64 0:r131-1.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                         Arch                                               Version                                                 Repository                                        Size
===================================================================================================================================================================================================================
Installing:
 lz4                                             x86_64                                             r131-1.el7                                              epel                                              70 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package

Total download size: 70 k
Installed size: 220 k
Is this ok [y/d/N]: y
Downloading packages:
lz4-r131-1.el7.x86_64.rpm                                                                                                                                                                   |  70 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : lz4-r131-1.el7.x86_64                                                                                                                                                                           1/1
  Verifying  : lz4-r131-1.el7.x86_64                                                                                                                                                                           1/1

Installed:
  lz4.x86_64 0:r131-1.el7                                                                                                                                                                                         

Complete!

Install libstoken Library

The libstoken library is also needed, so install it using yum again as shown below.

[root@localhost Downloads]# yum install stoken-libs

Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.beyondhosting.net
 * epel: ca.mirror.babylon.network
 * extras: mirrors.liquidweb.com
 * updates: mirror.stjschools.org
Resolving Dependencies
--> Running transaction check
---> Package stoken-libs.x86_64 0:0.6-1.el7 will be installed
--> Processing Dependency: libtomcrypt.so.0()(64bit) for package: stoken-libs-0.6-1.el7.x86_64
--> Running transaction check
---> Package libtomcrypt.x86_64 0:1.17-23.el7 will be installed
--> Processing Dependency: libtommath >= 0.42.0 for package: libtomcrypt-1.17-23.el7.x86_64
--> Processing Dependency: libtommath.so.0()(64bit) for package: libtomcrypt-1.17-23.el7.x86_64
--> Running transaction check
---> Package libtommath.x86_64 0:0.42.0-4.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

===================================================================================================================================================================================================================
 Package                                              Arch                                            Version                                                  Repository                                     Size
===================================================================================================================================================================================================================
Installing:
 stoken-libs                                          x86_64                                          0.6-1.el7                                                epel                                           36 k
Installing for dependencies:
 libtomcrypt                                          x86_64                                          1.17-23.el7                                              epel                                          224 k
 libtommath                                           x86_64                                          0.42.0-4.el7                                             epel                                           35 k

Transaction Summary
===================================================================================================================================================================================================================
Install  1 Package (+2 Dependent packages)

Total download size: 296 k
Installed size: 707 k
Is this ok [y/d/N]: y
Downloading packages:
(1/3): libtomcrypt-1.17-23.el7.x86_64.rpm                                                                                                                                                   | 224 kB  00:00:00    
(2/3): libtommath-0.42.0-4.el7.x86_64.rpm                                                                                                                                                   |  35 kB  00:00:00    
(3/3): stoken-libs-0.6-1.el7.x86_64.rpm                                                                                                                                                     |  36 kB  00:00:00    
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Total                                                                                                                                                                              368 kB/s | 296 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : libtommath-0.42.0-4.el7.x86_64                                                                                                                                                                  1/3
  Installing : libtomcrypt-1.17-23.el7.x86_64                                                                                                                                                                  2/3
  Installing : stoken-libs-0.6-1.el7.x86_64                                                                                                                                                                    3/3
  Verifying  : libtommath-0.42.0-4.el7.x86_64                                                                                                                                                                  1/3
  Verifying  : libtomcrypt-1.17-23.el7.x86_64                                                                                                                                                                  2/3
  Verifying  : stoken-libs-0.6-1.el7.x86_64                                                                                                                                                                    3/3

Installed:
  stoken-libs.x86_64 0:0.6-1.el7                                                                                                                                                                                  

Dependency Installed:
  libtomcrypt.x86_64 0:1.17-23.el7                                                                         libtommath.x86_64 0:0.42.0-4.el7                                                                       

Complete!

Install vpnc-script

This section was added a few days later.  If you get a dependency error about "vpnc-script" then you will have to install that too.  It seems I may have overlooked that vpnc-script is a dependency, or may have installed it earlier when I first worked this out (at 3AM or so); I discovered this while installing openconnect on another server.

Use yum to install vpnc-script as shown below if the install of openconnect complains about the vpnc-script dependency.  For completeness, I've included the output that shows the openconnect install failing due to the missing vpnc-script dependency.

[root@centos-72d ~]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm

warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
error: Failed dependencies:
    vpnc-script is needed by openconnect-7.06-1.sdl7.x86_64

[root@centos-72d ~]# yum install vpnc-script
Loaded plugins: fastestmirror, langpacks
Loading mirror speeds from cached hostfile
 * base: mirror.eboundhost.com
 * epel: ftp.osuosl.org
 * extras: mirror.umd.edu
 * updates: mirror.tzulo.com
Resolving Dependencies
--> Running transaction check
---> Package vpnc-script.noarch 0:0.5.3-22.svn457.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

=============================================================================================================================================================================
 Package                                   Arch                                 Version                                             Repository                          Size
=============================================================================================================================================================================
Installing:
 vpnc-script                               noarch                               0.5.3-22.svn457.el7                                 epel                                14 k

Transaction Summary
=============================================================================================================================================================================
Install  1 Package

Total download size: 14 k
Installed size: 19 k
Is this ok [y/d/N]: y
Downloading packages:
vpnc-script-0.5.3-22.svn457.el7.noarch.rpm                                                                                                            |  14 kB  00:00:00    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : vpnc-script-0.5.3-22.svn457.el7.noarch                                                                                                                    1/1
  Verifying  : vpnc-script-0.5.3-22.svn457.el7.noarch                                                                                                                    1/1

Installed:
  vpnc-script.noarch 0:0.5.3-22.svn457.el7                                                                                                                                  

Complete!
[root@centos-72d ~]#

Install OpenConnect

Now the OpenConnect RPM can be installed successfully as shown below.

[root@localhost Downloads]# rpm -Uvh openconnect-7.06-1.sdl7.x86_64.rpm

warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY
Preparing...                          ################################# [100%]
Updating / installing...
   1:openconnect-7.06-1.sdl7          ################################# [100%]
[root@localhost Downloads]# rpm -qa | egrep 'openconnect|vpnc'
openconnect-7.06-1.sdl7.x86_64
vpnc-script-0.5.3-22.svn457.el7.noarch
vpnc-0.5.3-22.svn457.el7.x86_64

[root@localhost Downloads]#
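
Every "NOKEY" warning in the transcripts above means rpm installed or downloaded a package whose signature it could not check, and the EPEL key that yum later offered to import came from the epel-release RPM that was itself installed unchecked. The script below is an added example (not part of the original procedure) that audits such a transcript against fingerprints you have pinned yourself; the function names are hypothetical, the log lines are copied from this page, and only the EPEL fingerprint is pinned because the page shows no fingerprint for key 41a40948.

```shell
#!/usr/bin/env bash
# Added example: audit "NOKEY" warnings in an rpm/yum transcript.

# Pinned keys, one per line: "<40 hex digit fingerprint> <label>".
# This EPEL 7 fingerprint is the one yum printed above; compare it with the
# value published by the Fedora project before relying on it.
PINNED_KEYS='91e97d7c4a5e96f17f3e888f6a2faea2352c64e5 epel-7'

# Constructed sample: the three distinct warning lines from this page.
SAMPLE_LOG='warning: epel-release-7-8.noarch.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
warning: /var/cache/yum/x86_64/7/epel/packages/vpnc-0.5.3-22.svn457.el7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 352c64e5: NOKEY
warning: openconnect-7.06-1.sdl7.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 41a40948: NOKEY'

# nokey_ids: read a transcript on stdin and print "keyid package" once for
# each package whose signature could not be checked.
nokey_ids() {
    awk '/^warning: .*key ID [0-9a-fA-F]+: NOKEY$/ {
        pkg = $2; sub(/:$/, "", pkg)           # "warning: <file>: Header ..."
        id = tolower($(NF - 1)); sub(/:$/, "", id)
        n = split(pkg, parts, "/")             # yum prints the cache path
        if (!seen[id " " parts[n]]++) print id, parts[n]
    }'
}

# audit_transcript: classify each package. An 8-digit key ID matching the
# tail of a pinned fingerprint only tells you which key to import; short IDs
# can collide, so the real check is `rpm --import <keyfile>` followed by
# `rpm -K <package>` before installing.
audit_transcript() {
    nokey_ids | while read -r id pkg; do
        label=$(printf '%s\n' "$PINNED_KEYS" |
            awk -v id="$id" 'substr($1, length($1) - 7) == id { print $2; exit }')
        if [ -n "$label" ]; then
            echo "PINNED   $pkg key=$id ($label): import key, then rpm -K"
        else
            echo "UNKNOWN  $pkg key=$id: no pinned fingerprint, do not install yet"
        fi
    done
}

printf '%s\n' "$SAMPLE_LOG" | audit_transcript
```

To clear the UNKNOWN entry, obtain the signing key and its full fingerprint from the repository that published the OpenConnect RPM and add it to PINNED_KEYS.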

Test the Cisco AnyConnect VPN

This AnyConnect client has no GUI, so it is just run from a terminal as root as shown below.  The name of the VPN server used for this example and other private information have been redacted in the example connection shown below.  When you get the "Established blah blah blah connection..." message, it means that the VPN is connected and that ssh to servers and other resources on the VPN, such as websites, is now available.  Be sure to leave that terminal window open for the duration of the VPN session.  Closing that window terminates the VPN session.

[oracle@localhost Downloads]$ su - root
Password:
Last login: Sat Aug 13 19:57:21 EDT 2016 on pts/0

[root@localhost ~]# openconnect https://vpn.xxxxxxxxxxxx.com
POST https://vpn.xxxxxxxxxxxx.com/
Attempting to connect to server xx.xx.xxx.x:443
SSL negotiation with vpn.xxxxxxxxxxxx.com

Server certificate verify failed: signer not found                     <-- Means the VPN certificate for this VPN is unsigned, no problem... just answer yes below and continue...

Certificate from VPN server "vpn.xxxxxxxxxxxx.com" failed verification.
Reason: signer not found
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on vpn.xxxxxxxxxxxx.com
XML POST enabled
Please enter your username and password.
GROUP: [datacenter|dmz|poc-mgmt|poc1|poc2|poc3|poc5|selfservice]:datacenter
POST https://vpn.xxxxxxxxxxxx.com/
XML POST enabled
Please enter your username and password.
Username:xxxxxxx
Password:

POST https://vpn.xxxxxxxxxxxx.com/
Got CONNECT response: HTTP/1.1 200 OK
CSTP connected. DPD 30, Keepalive 20
Connected tun0 as xx.xx.xxx.xx, using SSL

Established DTLS connection (using GnuTLS). Ciphersuite (DTLS0.9)-(RSA)-(AES-128-CBC)-(SHA1).
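
Answering yes at the "signer not found" prompt accepts whatever certificate the endpoint presents, so a stricter routine is to get the server certificate's fingerprint from the VPN administrator over a separate channel and pin it. The script below is an added example (not part of the original procedure); the function names and the sample fingerprint are constructed, and the bare 40-hex-digit SHA1 form passed to --servercert is an assumption to confirm against `man openconnect` for your build.

```shell
#!/usr/bin/env bash
# Added example: pin the VPN server certificate instead of typing "yes".

# Constructed sample, in the format `openssl x509 -fingerprint -sha1` prints.
SAMPLE_PRESENTED='SHA1 Fingerprint=0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9:0A:1B:2C:3D'

# normalize_fp: accept "AB:CD:..", "ab cd .." or "SHA1 Fingerprint=AB:.."
# and print 40 uppercase hex digits; fail on anything else.
normalize_fp() {
    local fp
    fp=$(printf '%s' "${1##*=}" | tr -d ': \t\n' | tr 'a-f' 'A-F')
    case "$fp" in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ "${#fp}" -eq 40 ] || return 1
    printf '%s\n' "$fp"
}

# presented_fp HOST: SHA1 fingerprint of the certificate HOST presents now.
presented_fp() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha1
}

# fp_matches A B: true only if both values are well formed and identical.
fp_matches() {
    local a b
    a=$(normalize_fp "$1") || return 2
    b=$(normalize_fp "$2") || return 2
    [ "$a" = "$b" ]
}

# connect_pinned HOST TRUSTED_FP: refuse to start unless the certificate the
# server presents matches TRUSTED_FP, then hand the pin to openconnect so it
# enforces the same value for the session (no interactive "yes").
connect_pinned() {
    local host=$1 trusted
    trusted=$(normalize_fp "$2") || { echo "bad fingerprint" >&2; return 2; }
    fp_matches "$(presented_fp "$host")" "$trusted" ||
        { echo "certificate for $host does not match the pin" >&2; return 1; }
    openconnect --servercert="$trusted" "https://$host"
}

# Offline demonstration on the constructed value (no network access needed).
fp_matches "$SAMPLE_PRESENTED" '0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d' &&
    echo "pin matches"
```

If the pin stops matching, treat it as a changed or intercepted endpoint and confirm the new fingerprint with the administrator before updating it.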

Manage File:  /etc/resolv.conf

The /etc/resolv.conf file may get updated with DNS servers for the VPN as shown below.  This overwrite blanks out the local nameserver for my laptop network, so I need to add my local nameserver back in the correct position (first) as shown below.  Note that the IP addresses of the actual nameservers are redacted.  The /etc/resolv.conf header says that VPNC generated it, so there may be some way to configure VPNC to add that extra local nameserver, and at some point I need to return and solve that issue so that it's not necessary to add the nameserver manually every time the VPN is connected.  The added nameserver must be in the first position.

[root@stlns01 data]# cat /etc/resolv.conf

#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by NetworkManager
search robinsystems.com. robinsystems.com
nameserver 10.207.39.1                       <-- This nameserver has been added back in manually with vi after VPN started
nameserver 10.7.10.21
nameserver 10.7.10.12

[root@stlns01 data]#
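
The manual vi edit described above can be scripted. This is an added example (not part of the original procedure): the function names are hypothetical, the sample file is constructed from the listing above without the hand-added line, and it handles IPv4 addresses only.

```shell
#!/usr/bin/env bash
# Added example: put a local resolver first in a vpnc-generated resolv.conf.

# Constructed sample: the file as the VPN leaves it, before the manual edit.
SAMPLE_RESOLV='#@VPNC_GENERATED@ -- this file is generated by vpnc
# and will be overwritten by vpnc
# as long as the above mark is intact
# Generated by NetworkManager
search robinsystems.com. robinsystems.com
nameserver 10.7.10.21
nameserver 10.7.10.12'

# prepend_nameserver IP [FILE]: print FILE ("-" for stdin) with
# "nameserver IP" as the first nameserver entry. Idempotent: an existing
# entry for IP is moved to the top, not duplicated. glibc reads only the
# first 3 nameserver lines, so any beyond that are commented out visibly.
prepend_nameserver() {
    case "$1" in
        ''|*[!0-9.]*) echo "expected an IPv4 address" >&2; return 2 ;;
    esac
    awk -v ip="$1" '
        $1 == "nameserver" {
            if ($2 == ip) next                  # old copy, re-added on top
            if (!done) { print "nameserver " ip; done = 1; n = 1 }
            if (++n > 3) { print "# over glibc limit: " $0; next }
        }
        { print }
        END { if (!done) print "nameserver " ip }
    ' "${2:-/etc/resolv.conf}"
}

# fix_resolv_conf IP [FILE]: apply the change in place. The file is rewritten
# with cat rather than replaced, so its ownership and SELinux label stay as
# they were, and the vpnc marker line on top is left intact.
fix_resolv_conf() {
    local file=${2:-/etc/resolv.conf} tmp rc
    tmp=$(mktemp) || return 1
    prepend_nameserver "$1" "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_RESOLV" | prepend_nameserver 10.207.39.1 -
```

Run `fix_resolv_conf 10.207.39.1` as root once the VPN reports it is connected.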

Comments, Questions, Observations

Please send me an email at gilstanden@hotmail.com if you find any errors or omissions in this procedure or to share your observations with it such as improvements or simplifications.



Attachments:
epel-release-7-8.noarch.rpm (14k), Gilbert Standen, Aug 12, 2016, 11:52 PM
openconnect-7.06-1.sdl7.x86_64.rpm (459k), Gilbert Standen, Aug 13, 2016, 5:28 PM